Aliases: Win95.Padania.1335, W95/Padania, Win95.Padania.1335, Mid/W95Padania, Win95/Padania.1335
Variants: PE_PADANIA, Padania, W32/Padania.1335, Win95:Padania, W95/Padania

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 13 Feb 2007
Damage: Low

Characteristics: The W95.Padd virus infects Windows executable files. When a contaminated file is opened, the virus puts itself into memory.

More details about W95.Padania

It is a safe memory occupant parasitic Windows virus. It resides in the memory of Windows, intercepts EXE file opening, hooks IFS API calls, and then copies itself to the extension of the document and changes file's header to get power when contaminated programs are opened. A short virus code is also printed to file PE header. The virus contaminates files in 2 ways depending on the structure of file. If the last part of the file is .reloc or relocations section, the virus overwrites it and removes relocation info in the header. Otherwise the virus appends one new part to the end of the file and overwrites its code.

To get power when contaminated file is run the virus also utilizes 2 ways: it either changes the program's start-up address, or patches the code of the program w/ “JMP_Virus”. In latter case the virus doesn’t get control immediately when a contaminated program is open, but only in case scraped program's branch gets power. To set up its hooker to the Ring0 Windows memory the virus utilizes the trick same with "Win95.MarkJ" virus. It scraps the PE so, that Win95 loads the code to the VMM Ring0 in place of standard memory.